jloureiro
Visitor III
August 11, 2025
Question

FortiGate global header policy not enforcing EMS tag match

  • August 11, 2025
  • 3 replies
  • 1281 views

Hi,

I have FortiClient EMS, FortiManager, and several FortiGates in my environment.

  • EMS is connected to each FortiGate and showing "connected" in the Fabric Connectors;

  • In EMS I configured classification tags to some users;
  • In FortiManager, I have a Global Header Policy applied to all FortiGates;

  • This policy has an EMS classification tag as part of the source match condition.

The problem is that devices without the EMS tag are still matching the policy.

The only troubleshooting I was able to do was running <diag user device list>, only to find that there are no tags showing up.

FortiClient EMS v7.4.3
FortiManager v7.4.6
FortiGate(s) v7.4.7

I would appreciate some help on how to further troubleshoot the issue.

Thanks in advance.

3 replies

AEK
SuperUser
August 12, 2025

Hi Joao

When you open the policy from FortiGate WebUI (not FMG) do you see the tags are set up properly?

AEK
jloureiro
jloureiro (Author)
Visitor III
September 8, 2025

Hi, actually I can't see the tags anywhere inside the policy.

Thanks.

AEK
SuperUser
September 9, 2025

[image: tag.png]

If you can't see it, then you may need to enable Zero Trust Network Access in feature visibility.

AEK
jloureiro
jloureiro (Author)
Visitor III
September 9, 2025

Thanks for your reply.

Just to make sure we are on the same page, the tags I am trying to enable are FortiClient EMS Classification Tags (like the ones in the image below), and not the Security Posture Tags.

[image: Screenshot_1.png]

The other issue is that I am not able to enable the Zero Trust Network Access feature, as the instructions say it must be enabled via CLI with two commands; however, I don't have "set proxy-and-explicit-proxy enable" under "config system global".

As I said in the first post, this is a firewall header policy created on FortiManager and pushed to the FortiGates, and the tag is correctly presented on the FortiManager side. My doubt now is whether it should be presented in the individual firewalls' policies as well.

[image: Screenshot_2.png]

Thanks again for your support.

funkylicious
SuperUser
September 9, 2025

hi,

In EMS you would need to ensure that in Fabric & Connectors > Fabric Devices you have Classification Tags enabled under Tag Types Being Shared, so they are sent to the FortiGates (in Policy & Objects > ZTNA > Security Posture Tags you should then see the CLASS IP tags [Category: Classification] from EMS). Also check that, under the FortiGate > Fabric Connectors > EMS CLI configuration, you have pull-tags enabled (which should be enabled by default if you didn't change it).

"jack of all trades, master of none"
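As an added illustration of the FortiGate-side checks funkylicious describes (this is not part of the reply above and not Fortinet documentation), the session below shows the CLI configuration and verification commands in order. The EMS connector entry identifier is a placeholder: depending on FortiOS version the entry is keyed by a name or by a numeric ems-id, so use whatever "show" lists on your unit. Lines starting with "#" are explanatory comments, not commands.

```text
# 1. Confirm tag pulling is enabled on the EMS fabric connector
#    (placeholder entry "1"; replace with your connector's identifier)
config endpoint-control fctems
    edit 1
        set pull-tags enable
    next
end

# 2. Confirm the FortiGate can actually reach EMS; a failure here
#    explains missing tags before any policy is examined
diagnose endpoint fctems test-connectivity <ems-name>

# 3. Dynamic address objects learned from EMS: classification tags
#    only appear here after EMS is sharing that tag type
diagnose firewall dynamic list

# 4. Per-endpoint view, the command from the original question;
#    an endpoint with no tag listed here cannot match a tag-based policy
diagnose user device list
```

Read the output top-down: if step 2 fails, fix the fabric connection first (which is what the author eventually found); if step 3 shows no classification entries, the tag type is not being shared from EMS; only if both look right is the policy itself worth inspecting.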
jloureiro
jloureiro (Author)
Visitor III
September 23, 2025

Hello,

I noticed that the problem seems to be related to the FortiGate not connecting properly to the fabric.

I am still having some trouble establishing the connection, but I believe that once this issue is resolved, the tags will appear correctly.

Thank you for your support.